Weekly threat roundup: SolarWinds, Microsoft, SonicWall

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Hackers targeting SolarWinds’ Serv-U suite

SolarWinds has warned that cyber criminals are targeting a vulnerability in its Serv-U Managed File Transfer (MFT), Serv-U Secure File Transfer Protocol (FTP), and Serv-U Gateway products, following an advisory from Microsoft.

The firm has released a hotfix to address CVE-2021-35211, which hackers have exploited to run arbitrary code with privileges on targeted systems. The flaw exists in the latest Serv-U version 15.2.3 HF1, released on 5 May 2021, and all prior versions, with customers urged to upgrade immediately to version 15.3.2 HF2.

No other SolarWinds product is affected by this vulnerability, with Microsoft attributing exploitation attempts to DEV-0322, a group based in China, which is attempting to infiltrate US defence and software companies.

Microsoft has a another go at fixing PrintNightmare

The Windows developer has issued 117 fixes as part of its latest wave of Patch Tuesday updates, including a second attempt to patch CVE-2021-34527 - also referred to as PrintNightmare.

This second attempt comes after initial efforts fell short, and a security researcher demonstrated that exploitation of the Print Spooler component was still possible so long as the targeted device had enabled the feature ‘point and print’.

This latest wave of updates also includes patches for three additional zero-day bugs that have been exploited, among nine zero-day flaws overall. Of the 117, 13 are rated as critical, while 103 are rated as important.

Chained Schneider Electric bugs could lead to remote hacking

Researchers have found a vulnerability in Schneider Electric process logic controllers (PLCs) that could allow hackers to gain complete control of vulnerable systems by bypassing security controls.

Dubbed ModiPwn and tracked as CVE-2021-22779, Armis researchers found that this flaw, embedded in Modicon M580 and M340 controllers, could allow remote attackers to run code natively on the PLCs, modifying their functionality.

Schneider Electric had implemented layers of security in its controllers to prevent abuse of undocumented Modbus commands. The flaw can be exploited, however, to bypass this implementation. Hackers can exploit it to read the password hash from the PLC’s memory and use it to skip authentication. They could then upload a new project file that doesn’t have a password, which downgrades the device’s security, removing application password functionality and allowing a chained attack.

The company is working on a patch to address ModiPwn, and has published a set of mitigations that users can implement in the meantime.

Kaseya patches VSA flaws exploited to conduct ransomware attack

Software firm Kaseya has issued patches for three vulnerabilities that hackers abused to execute a devasting ransomware attack in early July.

An emergency update for the cloud-based IT management and remote monitoring platform VSA addressed three bugs tracked as CVE-2021-30116, CVE-2021-30119, and CVE-3031-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

They’ve been patched alongside four other flaws that were identified by the security firm DIVD in April this year, with the two companies working together to issue fixes, only for REvil operators to beat them to the punch and launch their attack.

The attack saw hackers abuse the flaws to target VSA and launch ransomware attacks against the company, as well as a handful of on-premise customers. Because VSA is used by a number of Managed Service Providers (MSPs), the compromised internet-facing VSA servers also served as an entry point to target their customers, with 1,500 businesses thought to have been affected overall.

SonicWall warns users to turn off EOL hardware ahead of ‘imminent ransomware campaign’

Networking device manufacturer SonicWall has warned its customers about an imminent ransomware campaign using stolen credentials targeting its end-of-life devices and units running outdated firmware.

There’s an imminent threat against unpatched Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) devices, the company confirmed in an email to customers, especially those still using end-of-life (EOL) 8.x firmware.

Customers using outdated SRA hardware should also disconnect these devices immediately and reset passwords, including SRA 4600/1600, SRA 4200/1200 and SSL-VPN 200/2000/400. SMA 400/200, meanwhile, is still supported in a limited retirement mode, with customers urged to update to the latest firmware versions.

Should customers not mitigate the risks or update their systems immediately, it’s extremely likely their devices will be targeted in the “imminent” ransomware campaign, of which specific details haven’t been provided.